Regarding the ATL language and tooling themselves, I encourage you to take a deep look into all the resources available from the ATL User Guide.

Concerning the specific problem of extracting security policies out of (UML) models, you can read the following paper and even directly contact its main author for getting more details on the presented work: http://dl.acm.org/citation.cfm?doid=2422498.2422503.